Scan execution policies show as 'enabled' in excluded projects despite never triggering


Summary

When viewing a scan execution policy from a project that it excludes, the policy incorrectly displays as "enabled" even though it won't be triggered for that project.

Steps to reproduce

  1. Create a subgroup and then two projects within it.
  2. Create a scan execution policy with any number of security scans enabled in the subgroup and exclude Project A from it.
  3. Navigate to Secure > Policies in Project A and note that the inherited subgroup scan execution policy is marked as "enabled".
  4. Make a change in Project A, then create an MR; observe that no pipeline runs.
  5. Make a change in Project B, then create an MR; observe that a pipeline does run.
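
The distinction the steps above expose is that a policy's own `enabled` flag and whether a given project is inside the policy's scope are two separate questions, and a scan only runs when both are true. The following is an added example, not GitLab's code: it models a subgroup policy whose `policy_scope` excludes Project A, evaluates coverage per project, and produces the status a policy viewer should show. The policy dict mirrors the key names of the scan execution policy YAML (`enabled`, `policy_scope.projects.excluding`, `rules`, `actions`); the project ids are made-up placeholders, and the including/excluding semantics are stated as assumptions in the code.

```python
"""Evaluate whether a scan execution policy is actually in scope for a
project, independently of the policy's own `enabled` flag.

Constructed example, not GitLab's code. The policy dict mirrors the shape
of the scan execution policy YAML; the project ids are placeholders.
"""

from dataclasses import dataclass

# Constructed sample: a subgroup policy that excludes Project A (id 101)
# but not Project B (id 102). Both ids are placeholders.
POLICY = {
    "name": "Subgroup secret detection",
    "enabled": True,
    "policy_scope": {
        "projects": {
            "excluding": [{"id": 101}],  # Project A is excluded
        }
    },
    "rules": [{"type": "pipeline", "branches": ["*"]}],
    "actions": [{"scan": "secret_detection"}],
}


@dataclass(frozen=True)
class Coverage:
    enabled: bool   # the policy's own flag, which is what the UI badge shows
    in_scope: bool  # whether the policy's scope includes this project

    @property
    def effective(self) -> bool:
        # A scan is only triggered when the policy is enabled AND the
        # project is inside its scope.
        return self.enabled and self.in_scope


def project_in_scope(policy: dict, project_id: int) -> bool:
    """Apply the policy_scope.projects including/excluding semantics.

    Assumed semantics: no `policy_scope` means every project under the
    group; an `including` list restricts scope to exactly those projects;
    an `excluding` list removes those projects from scope.
    """
    projects = policy.get("policy_scope", {}).get("projects", {})
    including = {p["id"] for p in projects.get("including", [])}
    excluding = {p["id"] for p in projects.get("excluding", [])}
    if including:
        return project_id in including
    return project_id not in excluding


def coverage_for(policy: dict, project_id: int) -> Coverage:
    """Combine the policy flag with the scope check for one project."""
    return Coverage(
        enabled=bool(policy.get("enabled", False)),
        in_scope=project_in_scope(policy, project_id),
    )


def describe(policy: dict, project_id: int) -> str:
    """Status a policy viewer should show for one project."""
    c = coverage_for(policy, project_id)
    if not c.enabled:
        return "disabled"
    if not c.in_scope:
        return "enabled, but this project is excluded from its scope"
    return "enabled"


if __name__ == "__main__":
    for pid, label in ((101, "Project A"), (102, "Project B")):
        print(f"{label} (id {pid}): {describe(POLICY, pid)}")
```

Run stand-alone, the script reports Project A as "enabled, but this project is excluded from its scope" and Project B as "enabled", which is the per-project distinction the current policies view collapses into a single "enabled" badge.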

What is the current bug behavior?

The policies interface shows the inherited policy as "enabled" in Project A, misleadingly suggesting it will execute despite Project A being excluded from its scope.

What is the expected correct behavior?

The policies viewer should indicate when a project is excluded from an inherited policy.

Relevant logs and/or screenshots

Subgroup:

[Screenshot: Screenshot_2025-10-30_at_11.07.42_AM]

Project:

[Screenshot: Screenshot_2025-10-30_at_11.07.30_AM]

Output of checks

This bug happens on GitLab.com
